Protecting Your Church Website: Internet Security for Churches

Alex Floyd Marshall
Soren Tech
Oct 15, 2014 · 8 min read

[Image: Computer Virus]

The last few days I’ve seen a statistic flying around the internet: “You are three times more likely to get a virus from a church website than you are from a porn website.”

This isn’t just an internet rumor: it is based on 2011 data collected by Symantec, one of the leading internet security firms. That data is now a few years old (even as it makes the rounds again), but in the wake of several major security breaches, the lesson still stands: online protection is important!

Here are a few important things to keep in mind:

“Obscurity” is Not Adequate Protection. Churches build websites, by and large, because they want to attract attention from potential visitors online. The point of the website is to be found. Even so, most individual church websites do not generate major amounts of traffic. So many churches reason: since we don’t have a lot of visitors and (usually) don’t store much personal data on our website, we’re not going to be a target. The problem with this mindset is that online attacks are increasingly automated. There isn’t a hacker looking at your website and consciously deciding whether or not to target you; there is a program scanning lots of websites looking for ones with known security vulnerabilities. If yours pops up and the program finds that vulnerability, it will exploit it automatically, regardless of how little traffic you get.

The More Things Are Connected, the Higher the Risk. If all roads once led to Rome, increasingly they all lead to the web. And the more interconnected our systems become, the more easily a breach of one system becomes a breach of others. Remember that major hack at Target a few months ago? It turns out that Target’s own systems were not the attackers’ point of entry: they hacked the system of an HVAC sub-contractor that had worked with Target and used information stolen from that company to access Target’s internal networks. Most church websites don’t hold a lot of personal data in their database. But if your website (or the computers you manage it from) is linked to things like your church management system, accounting records, or member database, then vulnerabilities on your church website also put those systems at risk.

Your Website May Not Be the Ultimate Target. Most malware (software that does bad things) isn’t really interested in taking down your website. It has bigger fish to fry, and your website is probably just the launching pad. Often, malware that infects your website is trying to install itself on the computers of your website’s visitors. It’s parasitic: your website is the host through which it spreads its infection to others of higher value, namely your church members, whose personal computers likely contain a treasure trove of personal information ready to be exploited. So the issue for churches is not just your website: it’s about protecting your members (and potential new visitors) from internet attackers.

Almost always, the goal of malware is to steal data. In the digital age, data is king. If you have someone’s personal data, you can use it to access their financial resources yourself, or you can sell it and possibly make even more. The majority of malware that attacks personal computers is designed to collect that data, with varying degrees of nefarious means and motives (ranging from tracking your internet browsing to sell your profile to advertisers, to outright identity theft or stealing from your bank accounts). The same can be said of most, though not all, hacking attacks (which often use malware as their vehicle for obtaining data). Ultimately, the two usually share the same motivation, and protection from them follows similar patterns.

Now that we have a better grasp of the scope and the seriousness of the problem, what can you do to combat it?

The first step is to make sure your computers are protected. Malware frequently leapfrogs from machine to machine and system to system, and your office computers can easily be the lily pad it uses. So step one is to install reliable virus/malware protection software on every machine your staff use, and then perform regular updates and scans. Three good companies to look at for protection software are Symantec, McAfee, and Webroot.

Depending on your church size and resources, a possibility you might consider is offering a subscription to one of these services as a courtesy to your church members. Many of these companies offer group packages that can be purchased and made available for download to your members at a relatively low cost-per-user. Many people today already have security software loaded on their computers, so this is not an absolute requirement, but if you suspect there’s a problem with your website or want to reassure your members, this can be a nice thing to do.

Passwords and Keys

The second step is to make sure that your church technology infrastructure is set up securely. A few basic steps to keep in mind:

  1. Make sure your staff always use a secure, password-protected internet connection. One of the most basic ways that vulnerabilities are found or data is stolen is by intercepting communications sent over a network connection, which you can easily prevent by protecting your network with a password. My recommendation would be to have a separate network for staff which uses a cryptic network key (i.e., not something easily remembered). You’ll only have to input the key once for each machine and then you can save it, so this isn’t a huge hassle, and it ensures that a would-be hacker can’t easily guess your staff password and get access to your secure network. As a courtesy to guests, you should also password-protect your “public” network, even if the password for that network is much easier to remember, so that their data isn’t open to the public.
  2. Require staff passwords for email, website, and database administration to be “strong” passwords. This means they need to be long, contain special characters and numbers, and be something that would be very hard to guess (in other words, not the church name, a bible verse, or their favorite sports team). Guessing staff passwords is an easy way for attackers to gain access to your system, so make that as difficult as you can. To make things easier on your staff, you can use a password manager that will store and auto-enter passwords for them when they log into frequently used websites or programs; just make sure their list of saved passwords is protected by a strong “master password.”
  3. Consider using an SSL certificate for your website. An SSL certificate provides a layer of protection for your website by certifying that you are who you say you are. It creates an encrypted communication channel which prevents information transferred between users and your site from being intercepted or monitored. This is considered essential for any site that is conducting online transactions. It’s also important to consider if you have a “member area” on your site that requires users to log in or input other personal information. Even if your online donations are handled by a service such as PayPal, or your member area is through a service such as ACS that takes users away from your site to their own secure page, it’s worth considering purchasing an SSL certificate for your site to provide more assurance to your users that your website (and their data) is secure.
  4. Hire a professional to build your website. When Symantec first reported that church websites were three times more likely than porn sites to contain a virus, the number one contributing cause it identified for sites being vulnerable to attack or infection was sites built by church volunteers who didn’t understand proper internet security measures. Hiring a professional seriously helps protect you and your church members; it’s worth the investment.
  5. Use popular content management systems instead of obscure, niche ones. We here at Søren Media Group are very vocal about using open-source software, like WordPress, to build websites. There are lots of advantages to this, such as a lower cost to you and getting to reap the benefits of a large community of active developers. Another great benefit: better security. Popular web-development platforms like WordPress are routinely updated to reflect security changes, which helps keep you safer. Of course, they aren’t totally secure (no website is), but they are more secure than smaller niche platforms that are updated less frequently and much more secure than hand-crafted websites that may or may not get security updates at all.
  6. Move the rest of your tech infrastructure to the cloud instead of hosting locally. I know, I know, all those celebrities’ photos got hacked out of their iCloud accounts. But here’s the thing: cloud-based services such as Quickbooks, GoogleApps, or ACS Realm have the backing of much larger companies that are investing significant time, money, and resources into internet security. No matter what the size of your local church, you cannot match their security budget or their staff. And remember what we said about attacks being automated: it doesn’t matter that your church server is small and obscure; it can be found and, if vulnerable, hacked or infected. It’s much better to rely on the security infrastructure of a larger entity than to try to maintain your own. Plus, ditching your local server will probably save you money.
  7. Install trusted, professional security software on your website. Even for professional web developers, the constantly changing nature of internet security threats is too much to stay entirely up-to-speed on. That’s why there is an entire industry of specialists who work on nothing but internet security! Using the tools they provide is invaluable. Aside from software that protects your individual computer, they also provide resources to protect websites from infection. Søren Media Group always installs security plug-ins on the sites we build to scan for infections and protect against hacking attacks. We can also add additional security tools, such as SiteLock malware protection, to your account.
[Image: Internet Security]

There is much, much more that could be said about internet security, but these are a few basic steps that can be taken to protect your church members and their personal data.

Let us hear from you: have you experienced infected or compromised church websites and IT systems? Do you have additional tips for us? What security products have you used?

Alex Floyd Marshall
Soren Tech

Lead Cyber Security Engineer at Raft, a new breed of government tech consultancy. Member of the CNCF Security TAG. Freelance writer and occasional blogger.